最新消息:

boto3 Enforcing TLS 1.2

技术相关 admin 437浏览

调用AWS API接口跨国际到海外的HTTPS流量会受到某些已知因素的影响,导致TLSv1.3的流量受到影响。

https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/
https://www.medianama.com/2020/08/223-china-blocks-https-traffic/
https://www.theregister.com/2020/08/11/china_blocking_tls_1_3_esni/

 

当client–server最终协商使用TLSv1.2加密时,抓包中可以看到Client Hello及后续Data传输均为Protocol为TLSv1.2。 当client–server使用TLSv1.3加密时,抓包中可以看到Client Hello的Protocol为TLSv1。而这种“降级”的现象,从一些文档中提到,通常中间设备或浏览器等,在遇到连接失败,协议不当时,则会尝试downgrade降级处理。 https://zhuanlan.zhihu.com/p/33489365

处理正常的请求最终应该是双方选择TLS1.2进行的;而当选择TLSv1.3加密的那次请求,则可能被’已知因素‘丢弃。 因此从抓包也可以看到客户端的多次TCP重传。

 

为解决以上问题AWS 中有介绍:

https://boto3.amazonaws.com/v1/documentation/api/latest/guide/security.html#enforcing-tls-1-2

以上方法有些复杂,

简洁方式可参考:https://github.com/boto/botocore/issues/2488

在原有代码的基础上进行了简单修改:

 

from botocore import httpsession
from urllib3.util.ssl_ import (
    OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_COMPRESSION
)
from _ssl import (OP_NO_TLSv1, OP_NO_TLSv1_1,OP_NO_TLSv1_2,OP_NO_TLSv1_3)
def custom_create_urllib3_context(ssl_version=None, cert_reqs=None, options=None, ciphers=None):
    if options is None:
        options = 0
    # Default options from botocore
    # SSLv2 is easily broken and is considered harmful and dangerous
    options |= OP_NO_SSLv2
    # SSLv3 has several problems and is now dangerous
    options |= OP_NO_SSLv3
    # Disable compression to prevent CRIME attacks for OpenSSL 1.0+
    # (issue urllib3#309)
    options |= OP_NO_COMPRESSION
    # OUR new options
    options |= OP_NO_TLSv1
    options |= OP_NO_TLSv1_1
    options |= OP_NO_TLSv1_3
    #options |= OP_NO_TLSv1_2
    return httpsession._original_create_urllib3_context(options=options)
在python代码的开始增加以下代码:

    httpsession._original_create_urllib3_context = httpsession.create_urllib3_context
    httpsession.create_urllib3_context = custom_create_urllib3_context

转载请注明:Kermit的网站 » boto3 Enforcing TLS 1.2